design for storing trusted domain passwords in ldap

Andrew Bartlett abartlet at samba.org
Mon Jan 22 09:51:22 GMT 2007


On Mon, 2007-01-22 at 10:37 +0100, Volker Lendecke wrote:
> On Mon, Jan 22, 2007 at 10:32:26AM +0100, Michael Adam wrote:
> > 2) additional attribute sambaPasswordHistory (along with
> >    sambaPwdHistoryLength) in sambaTrustedDomainPassword
> 
> The sambaPwdHistoryLength would not be necessary I think.
> You should be able to figure that out from the value length.

I don't like the idea of overloading the sambaPasswordHistory.  The
existing format of this attribute is <16 bytes of salt><MD5(salt+NTpassword)>.
We need the original plaintext or NT password here.

BTW, I should have mentioned:  If we store the plaintext password for
the trust, then it becomes possible to upgrade to using Kerberos to
contact the trusted domains.  This may be desirable, even if we are not
'doing ADS'.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
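Added example, not from this thread or from Samba's own code: a small Python model of the sambaPasswordHistory layout Andrew describes, one `<16 bytes of salt><MD5(salt+NT hash)>` entry per remembered password, with the single operation that layout supports, a reuse check of a candidate NT hash against the stored entries. The 16/16 byte split per entry is taken from the message, and the NT hash bytes used are constructed sample values, not real hashes.

```python
import hashlib
import hmac
import os

SALT_LEN = 16          # "<16 bytes of salt>" from the message
DIGEST_LEN = 16        # MD5 digest length
ENTRY_LEN = SALT_LEN + DIGEST_LEN


def make_history_entry(nt_hash, salt=None):
    """Build one history entry: <salt><MD5(salt + nt_hash)>.

    nt_hash is the 16-byte NT hash, treated here as opaque input.
    Only a salted one-way digest is kept, so the NT hash (let alone
    the plaintext) cannot be recovered from the entry later.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return salt + hashlib.md5(salt + nt_hash).digest()


def history_entries(blob):
    """Split the attribute value into fixed-size entries; reject ragged values."""
    if len(blob) % ENTRY_LEN:
        raise ValueError("history value is not a multiple of %d bytes" % ENTRY_LEN)
    return [blob[i:i + ENTRY_LEN] for i in range(0, len(blob), ENTRY_LEN)]


def history_length(blob):
    """Entry count derived from the value length alone (no separate length attribute needed)."""
    return len(history_entries(blob))


def nt_hash_in_history(nt_hash, blob):
    """Reuse check: does any stored entry match this candidate NT hash?

    Each entry is re-hashed with its own salt and compared in constant time.
    This is the only question the format answers; it cannot hand back a
    credential for authenticating to a trusted domain.
    """
    for entry in history_entries(blob):
        salt, digest = entry[:SALT_LEN], entry[SALT_LEN:]
        if hmac.compare_digest(hashlib.md5(salt + nt_hash).digest(), digest):
            return True
    return False
```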